
Update
Using the uninstall from program files\disc folder stopped myFTP.exe from accessing the internet via Rockford.discoverconsole.com.
I believed the full problem to be resolved. I was wrong.
ZoneAlarm is still blocking daily and regular attempts to access miorsocft.com (this is the correct spelling; at an easy glance it might be mistaken for Microsoft) at IP 218.66.104.248 via Winlogon.exe.
I believe this to be a key logger of some type.
Beware, if you have an unprotected machine, it may be attempting to steal your accounts and passwords.
I have used Microsoft's RootKitRevealer, Spybot, Norton Anti-virus, Norton SystemWorks and ZoneAlarm to no avail.
Searching the web has not revealed a solution.
ZoneAlarm recently identified win32.backdoor.agent.aro spyware and quarantined it, but the winlogon.exe attempts to miorsocft.com continue.
I use Microsoft FrontPage to edit a couple of 3rd party hosted web sites.
Those sites were compromised, apparently by miorsocft.com, and the infection later 'cleaned' by their anti-virus update as admitted by the ISP.
I have cleaned up the code, where necessary, both on my computer and web host.
I have not logged on to these sites in the last 2 weeks.
I have re-established the FP security protocol on the 3rd party host.
Researching this issue on the net has found obscure references to rsbo.exe, kb1ss1p.dll, kb1ss1p.sys, in3.dll - I have found none of the programs on the PC or in the registry.
I have researched winlogon.exe on the net and my files seem to have the right date, time stamps, and byte count - there are 2 versions of the file in the windows/system32 and windows/system32/dllcache folders.
Further help is needed.
The only alternative I can think of without help is to reformat the hard drive and reload using the HP recovery disk set - we all know what an arduous task that can be.
If I have this problem there must be others with it, perhaps unaware of it.

Additional word re 218.66.104.248 miorsocft.com.
Since I last posted using IE, access to 218.66.104.248 miorsocft.com seems to be related to IE specifically.
ZA blocked the access to this site when I last posted.
ZA does not seem to get the block logged when I use Firefox.
Thanks for all your help.

Malware writers are very sophisticated. They create files that are signed by Windows and so easily integrated into the Windows OS it is amazing.

I would suggest scanning the copies of the files in question uploaded to Jotti's or VirusTotal. Then delete all of the rogue files in safe mode and clean the recycle bin.

Going to a HJT forum and getting help is prudent. They usually give good help and advice.

I would try the freeware scanners such as asquared from emsisoft, superantispyware, the online scan ewido from ewido.net, and so forth.

Sometimes reloading the OS is the best.
But I would use a proper disk eraser (something like DBAN), doing a complete wipe, then kill all power (pull the power cord!), and then flash the BIOS. This will make the machine perfectly clean. Any possible rootkits/trojans are removed.

Re: Rockford.discoverconsole.com

Originally Posted by esando

Has anyone heard of this?
It keeps trying to access through "MyFTP.exe" every hour.
I ran the ZA scan and it stopped for a little while, then it changed the time it tries to log on.
ZA blocks its access but I am suspicious. Thanks, Ed

Probably a waste of time at this point, but myFTP.exe is related to or part of DISCover.exe & both programs are made by Digital Interactive Systems of L.A., CA. A few minutes ago myFTP.exe wanted to act as a server, which I denied, & everything seems to be working just fine without it. I found 3 files on my PC named myFTP & scanned all 3; no infections were found.
I emailed Digital Interactive for more info, but from visiting their website I doubt if they'll answer; their own contact form is obviously for potential customers. Their IP is in L.A., CA & I have no idea why their software needs to act as a server; the software is used for gaming and/or burning CDs, I think. Hope this helps someone out there.